Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    52s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 21:05

General

  • Target

    4d3f328da9dc0f53b979075eb9334c42bfe50857fbe7c07fd7721f18ae8136e6.exe

  • Size

    474KB

  • MD5

    ff3dfe957c4a50432a070969c887c74e

  • SHA1

    15d00674419d448b92668439f265f0dbb3acb305

  • SHA256

    4d3f328da9dc0f53b979075eb9334c42bfe50857fbe7c07fd7721f18ae8136e6

  • SHA512

    5842524c90b78e33ed2b59a6ad345f6f8d6671ba15486a9340b103eaad40fc0f4da5ee9c699b1e73db35a8a4936826e1db8e966be73b5c6ba921063a83a1ef82

  • SSDEEP

    12288:Lh1Fk70TnvjcupksZzmlJqEQFLEOrGIvxRjNu9/5Z765bE/M:Rk70Trcp+ml3QeIpRjO5Z724M

Malware Config

Extracted

Family

redline

Botnet

@systemrooted

C2

45.15.156.167:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Detects executables packed with unregistered version of .NET Reactor 3 IoCs
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d3f328da9dc0f53b979075eb9334c42bfe50857fbe7c07fd7721f18ae8136e6.exe
    "C:\Users\Admin\AppData\Local\Temp\4d3f328da9dc0f53b979075eb9334c42bfe50857fbe7c07fd7721f18ae8136e6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:5064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 928
          3⤵
          • Program crash
          PID:3968
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
      1⤵
        PID:376

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1596-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

        Filesize

        4KB

      • memory/1596-1-0x0000000004AD0000-0x0000000004B30000-memory.dmp

        Filesize

        384KB

      • memory/1596-2-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/1596-3-0x0000000004C00000-0x00000000051A4000-memory.dmp

        Filesize

        5.6MB

      • memory/1596-4-0x0000000004B70000-0x0000000004BD0000-memory.dmp

        Filesize

        384KB

      • memory/1596-5-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/1596-8-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/1596-11-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/1596-13-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/5064-9-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

      • memory/5064-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB

      • memory/5064-15-0x0000000074A10000-0x00000000751C0000-memory.dmp

        Filesize

        7.7MB